[keycloak-user] Speed up token generation by HMAC or EC-signing
Marek Posolda
mposolda at redhat.com
Tue May 30 10:53:18 EDT 2017
We have JIRA for elliptic curves, but didn't yet came into it.
For signing tokens by HMAC, there is no plan for it AFAIK. It is not
great to sign accessTokens and idTokens by HMAC anyway since the
applications will need to have access to realm signing key. As it is
symmetric stuff. This can be security hole as then the application can
generate and sign tokens by itself. Hence we rather rely on the
asymetric cryptography - Keycloak signs tokens with private key and
application has just public key to verify signatures.
We just have JIRA for support HMAC signed refresh tokens - this is ok as
those refresh tokens are just opaque string for the the application.
Application doesn't need to verify signatures on them.
Marek
On 30/05/17 14:34, Matuszak, Eduard wrote:
> Hello
>
> Since version 2.5 it is possible to choose other signing mechanism than RSA in the realm-administration. To enhance performance, I tried out to induce keycloak to use HMAC for token signing, but it seems, that this does not work: HMAC is ignored despite the priority settings and login will even fail, if HMAC key is the only active/enabled key. It would be nice (and esssential for our purposes for performance issues) to be able to change the signature algorithms and if elliptic curves would be provided as a fast asymmetric alternative to RSA as well. Is this projected for a near-future version?
>
> Best regards, Eduard Matuszak
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list